All,
There is extended support for win7 available, cost depends on your organization relationship with Microsoft.
See the link below for the pay version, some versions are free if you have an enterprise license.
Maybe Biesse can look into Ecosystem Partner Servicing Offering for embeded updates as an alternate. I believe the cost is the equivalent of Windows 10 Pro cost /3 and the extended support ends in 3 years.
We have a Rover with embededXP, from the machine. We created a shared folder on the machine that is shared to members of the machine work group. We can write to the machine and copy files off of the machine. You can logon by machinename\username and using the workgroup as domain and the username.
If your machine name is Biesse1 and the Work group is Biesse and the username is Biesse then the logon would be
\Biesse1\Biesse and the password is the machine password or account password.
The machine companies logic of not allowing updates is solid logic, if Microsoft issues an update that interferes with the machine operation then the machine goes down. Its safer to sandbox the machine form the network and restrict access.
Our rover can see Biesse America, Italy and use Team viewer, thats it, the internet is blocked, our network is blocked expect specific pc's and specific times.
For all machines we create ghost drive of the machines hard drive, a copy of that drive which is kept offsite and an online backup of that drive.
We use a 3rd IT company that monitors our network 24x7; keeps all updates installed on the network EXCEPT floor machines.
The biggest threat now is ransomware and intrusion.